From patchwork Sun Mar 10 12:44:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ervin Oro X-Patchwork-Id: 1054013 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=aalto.fi Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="EIV/It6a"; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=aalto.fi header.i=@aalto.fi header.b="ExEPfGMs"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 44HLZ82K75z9sD4 for ; Sun, 10 Mar 2019 23:45:52 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=n/XV40QXYa+E/kaGLrOVA6FzVVS6biHiRMVfjMTb4fw=; b=EIV/It6aaWmYQO 83v2GbXFAj4XwXEJ5uOGqBoMla5aeNFXhUoyagLVMA07YQz2gIDlGdPqcMcijU9TABqDSgw931ctt Eoyx/88ur6tg54hlC36qQHSXESXgdhyF4WOEwzszGcgBmdfX3rH8A2ydf0oDQvj3eVoZPZO+l8s34 15pGHKVm2rJsAyGBgEQRyLWdsh0mBWHbWNHNNtobsKyLH5N1/8nNwHnRInTnY621LyBlXQyyPNJx/ BVs0RxSuYhAR1gxgjW6tFN3ofFMEz6HTc8iD9Bq625UoS1mPDBo0Z9aS3oYFCkA7z06+UVPYLWg9L EeHy5JdEa4Jn9g/DivZw==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1h2xpa-0006wn-D0; Sun, 10 Mar 2019 12:45:30 +0000 Received: from smtp-out-02.aalto.fi ([130.233.228.121]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1h2xpW-0006w5-0C for hostap@lists.infradead.org; Sun, 10 Mar 2019 12:45:29 +0000 Received: from smtp-out-02.aalto.fi (localhost.localdomain [127.0.0.1]) by localhost (Email Security Appliance) with SMTP id 975EF271246_C8505B0B for ; Sun, 10 Mar 2019 12:40:16 +0000 (GMT) Received: from exng4.org.aalto.fi (exng4.org.aalto.fi [130.233.223.23]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (Client CN "exng4.org.aalto.fi", Issuer "org.aalto.fi RootCA" (not verified)) by smtp-out-02.aalto.fi (Sophos Email Appliance) with ESMTPS id 3645D271201_C8505B0F for ; Sun, 10 Mar 2019 12:40:16 +0000 (GMT) Received: from exng5.org.aalto.fi (130.233.223.24) by exng4.org.aalto.fi (130.233.223.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Sun, 10 Mar 2019 14:45:16 +0200 Received: from DESKTOP-BM6EJS7.lan (130.233.0.5) by exng5.org.aalto.fi (130.233.223.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Sun, 10 Mar 2019 14:45:15 +0200 From: Ervin Oro To: Subject: [PATCH] Add support for an optional context parameter to tls exporter. Date: Sun, 10 Mar 2019 14:44:59 +0200 Message-ID: <20190310124459.4711-1-ervin.oro@aalto.fi> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190310094517.GA7085@w1.fi> References: <20190310094517.GA7085@w1.fi> MIME-Version: 1.0 X-Originating-IP: [130.233.0.5] X-ClientProxiedBy: exng7.org.aalto.fi (130.233.223.26) To exng5.org.aalto.fi (130.233.223.24) X-SASI-RCODE: 200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aalto.fi; h=from:to:cc:subject:date:message-id:in-reply-to:references:mime-version:content-type; s=its18; bh=4eeJpwnUhMGzdSIpN1dxDTjOMLJe2y1Es96ECCQryCs=; b=ExEPfGMsIMiwD8UWTYMTPLu86SCn9Y6+ZjsBvTHWNcpOj2cyxiJ0dyGqi+tMYq+/niiQCgIBtQcSYq73qYb3SzpAdnBp7V0RhWjTK+zaMHd+utA6C+SNeKCdNvu1uZkIEDPYHmPfuc3/ckJPKmaBuEueZzfLLj/LfmgO8Po1/76BERAgvy1OQNlsHaz0ZNH8T7uYEpcqcJfr/VdNNOWjmAYxrn/gq+2k40+offEudI7XCB9fNsbA7pVqtY2bw8AbuvmaKtd1wj7EdpHMie8+lllGhzV9Mgi4BX1Xr9c0CL09xH4/9JxBBIH56+OL2fRpaA3meM0qCvjyampZLx0RMg== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190310_054526_774813_993B3FCE X-CRM114-Status: GOOD ( 14.62 ) X-Spam-Score: -2.5 (--) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-2.5 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [130.233.228.121 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Ervin Oro Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Thank you for your comments. I have amended the commit, so that this first patch now only adds context support. It does not yet implement it for the internal TLS implementation, that would be a future patch. But since currently nothing uses context yet, this will not break anything right now. WolfSSL maintainers also stated that they are not going to add context support yet, but would look into it if/when this is required by a published draft or a standard. Patch of actually using the context to calculate Key_Material and Method-Id will follow when such draft is published. --- src/crypto/tls.h | 6 ++++++ src/crypto/tls_gnutls.c | 8 ++++---- src/crypto/tls_internal.c | 5 ++++- src/crypto/tls_none.c | 3 ++- src/crypto/tls_openssl.c | 6 ++++-- src/crypto/tls_wolfssl.c | 5 ++++- src/eap_peer/eap_peap.c | 1 + src/eap_peer/eap_tls.c | 1 + src/eap_peer/eap_tls_common.c | 13 +++++++++---- src/eap_peer/eap_tls_common.h | 3 ++- src/eap_peer/eap_ttls.c | 4 +++- src/eap_server/eap_server_peap.c | 6 +++--- src/eap_server/eap_server_tls.c | 2 ++ src/eap_server/eap_server_tls_common.c | 9 +++++---- src/eap_server/eap_server_ttls.c | 6 +++--- src/eap_server/eap_tls_common.h | 3 ++- 16 files changed, 55 insertions(+), 26 deletions(-) diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 413cccddc..59be04c25 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -367,15 +367,21 @@ int __must_check tls_connection_get_random(void *tls_ctx, * @tls_ctx: TLS context data from tls_init() * @conn: Connection context data from tls_connection_init() * @label: Label (e.g., description of the key) for PRF + * @context: optional extra upper-layer context (max len 2^16) + * @context_len: the length of the context value * @out: Buffer for output data from TLS-PRF * @out_len: Length of the output buffer * Returns: 0 on success, -1 on failure * * Exports keying material using the mechanism described in RFC 5705. + * + * Note: to provide the RFC5705 context, the context variable must be non-null. */ int __must_check tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, const char *label, + const unsigned char *context, + size_t context_len, u8 *out, size_t out_len); /** diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c index 527d01ecf..0a4ac5995 100644 --- a/src/crypto/tls_gnutls.c +++ b/src/crypto/tls_gnutls.c @@ -895,14 +895,14 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, - const char *label, u8 *out, size_t out_len) + const char *label, const unsigned char *context, + size_t context_len, u8 *out, size_t out_len) { if (conn == NULL || conn->session == NULL) return -1; - return gnutls_prf(conn->session, os_strlen(label), label, - 0 /* client_random first */, 0, NULL, out_len, - (char *) out); + return gnutls_prf_rfc5705(conn->session, os_strlen(label), label, + context_len, context, out_len, (char *) out); } diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c index 57b3e632d..a0eea83f8 100644 --- a/src/crypto/tls_internal.c +++ b/src/crypto/tls_internal.c @@ -449,8 +449,11 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn, int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, - const char *label, u8 *out, size_t out_len) + const char *label, const unsigned char *context, + size_t context_len, u8 *out, size_t out_len) { + if (context != NULL) + return -1; // Not implemented yet return tls_connection_prf(tls_ctx, conn, label, 0, 0, out, out_len); } diff --git a/src/crypto/tls_none.c b/src/crypto/tls_none.c index 108e9aa2e..d55431e02 100644 --- a/src/crypto/tls_none.c +++ b/src/crypto/tls_none.c @@ -94,7 +94,8 @@ int tls_connection_get_random(void *tls_ctx, struct tls_connection *conn, int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, - const char *label, u8 *out, size_t out_len) + const char *label, const unsigned char *context, + size_t context_len, u8 *out, size_t out_len) { return -1; } diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 18d76737e..4393abf71 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -3669,11 +3669,13 @@ static int openssl_get_keyblock_size(SSL *ssl) int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, - const char *label, u8 *out, size_t out_len) + const char *label, const unsigned char *context, + size_t context_len, u8 *out, size_t out_len) { if (!conn || SSL_export_keying_material(conn->ssl, out, out_len, label, - os_strlen(label), NULL, 0, 0) != 1) + os_strlen(label), context, context_len, + (context != NULL)) != 1) return -1; return 0; } diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index b59622e5e..9aa3840e2 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -1970,8 +1970,11 @@ int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, - const char *label, u8 *out, size_t out_len) + const char *label, const unsigned char *context, + size_t context_len, u8 *out, size_t out_len) { + if (context != NULL) + return -1; // Not implemented in WolfSSL yet if (!conn || wolfSSL_make_eap_keys(conn->ssl, out, out_len, label) != 0) return -1; return 0; diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 650bea6ad..8dcf7cc29 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -1084,6 +1084,7 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, "key derivation", label); data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label, + NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (data->key_data) { diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c index cb747026c..ffea9d213 100644 --- a/src/eap_peer/eap_tls.c +++ b/src/eap_peer/eap_tls.c @@ -198,6 +198,7 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data, eap_tls_free_key(data); data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label, + NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (data->key_data) { diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 7dbd364a5..99893c5f5 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -347,6 +347,8 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() * @data: Data for TLS processing * @label: Label string for deriving the keys, e.g., "client EAP encryption" + * @context: optional extra upper-layer context (max len 2^16) + * @context_len: the length of the context value * @len: Length of the key material to generate (usually 64 for MSK) * Returns: Pointer to allocated key on success or %NULL on failure * @@ -355,9 +357,12 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) * different label to bind the key usage into the generated material. * * The caller is responsible for freeing the returned buffer. + * + * Note: to provide the RFC5705 context, the context variable must be non-null. */ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, - const char *label, size_t len) + const char *label, const unsigned char *context, + size_t context_len, size_t len) { u8 *out; @@ -365,8 +370,8 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, if (out == NULL) return NULL; - if (tls_connection_export_key(data->ssl_ctx, data->conn, label, out, - len)) { + if (tls_connection_export_key(data->ssl_ctx, data->conn, label, + context, context_len, out, len)) { os_free(out); return NULL; } @@ -407,7 +412,7 @@ u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm, if (!id) return NULL; method_id = eap_peer_tls_derive_key( - sm, data, "EXPORTER_EAP_TLS_Method-Id", 64); + sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64); if (!method_id) { os_free(id); return NULL; diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h index 306e6a98b..cd2f629d9 100644 --- a/src/eap_peer/eap_tls_common.h +++ b/src/eap_peer/eap_tls_common.h @@ -99,7 +99,8 @@ int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, struct eap_peer_config *config, u8 eap_type); void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data); u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, - const char *label, size_t len); + const char *label, const unsigned char *context, + size_t context_len, size_t len); u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm, struct eap_ssl_data *data, u8 eap_type, size_t *len); diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c index 5d267010e..687c4b089 100644 --- a/src/eap_peer/eap_ttls.c +++ b/src/eap_peer/eap_ttls.c @@ -271,6 +271,7 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm, eap_ttls_free_key(data); data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, "ttls keying material", + NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (!data->key_data) { @@ -303,7 +304,8 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm, static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, struct eap_ttls_data *data, size_t len) { - return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len); + return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", + NULL, 0, len); } #endif /* CONFIG_FIPS */ diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c index 3d334a0db..92c0e5ec9 100644 --- a/src/eap_server/eap_server_peap.c +++ b/src/eap_server/eap_server_peap.c @@ -331,7 +331,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) * phase 1 of PEAP (based on TLS). */ tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption", - EAP_TLS_KEY_LEN); + NULL, 0, EAP_TLS_KEY_LEN); if (tk == NULL) return -1; wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); @@ -1333,7 +1333,7 @@ static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) /* TODO: PEAPv1 - different label in some cases */ eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, - "client EAP encryption", + "client EAP encryption", NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (eapKeyData) { os_memset(eapKeyData + EAP_TLS_KEY_LEN, 0, EAP_EMSK_LEN); @@ -1363,7 +1363,7 @@ static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len) /* TODO: PEAPv1 - different label in some cases */ eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, - "client EAP encryption", + "client EAP encryption", NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (eapKeyData) { emsk = os_memdup(eapKeyData + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c index 13d234982..357e72a82 100644 --- a/src/eap_server/eap_server_tls.c +++ b/src/eap_server/eap_server_tls.c @@ -331,6 +331,7 @@ static u8 * eap_tls_getKey(struct eap_sm *sm, void *priv, size_t *len) else label = "client EAP encryption"; eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, label, + NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (eapKeyData) { *len = EAP_TLS_KEY_LEN; @@ -359,6 +360,7 @@ static u8 * eap_tls_get_emsk(struct eap_sm *sm, void *priv, size_t *len) else label = "client EAP encryption"; eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, label, + NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (eapKeyData) { emsk = os_malloc(EAP_EMSK_LEN); diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c index 4ba7c2499..4b847be7e 100644 --- a/src/eap_server/eap_server_tls_common.c +++ b/src/eap_server/eap_server_tls_common.c @@ -107,7 +107,8 @@ void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, - const char *label, size_t len) + const char *label, const unsigned char *context, + size_t context_len, size_t len) { u8 *out; @@ -115,8 +116,8 @@ u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, if (out == NULL) return NULL; - if (tls_connection_export_key(sm->ssl_ctx, data->conn, label, out, - len)) { + if (tls_connection_export_key(sm->ssl_ctx, data->conn, label, + context, context_len, out, len)) { os_free(out); return NULL; } @@ -157,7 +158,7 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, if (!id) return NULL; method_id = eap_server_tls_derive_key( - sm, data, "EXPORTER_EAP_TLS_Method-Id", 64); + sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64); if (!method_id) { os_free(id); return NULL; diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c index b14996b0b..52bff8afe 100644 --- a/src/eap_server/eap_server_ttls.c +++ b/src/eap_server/eap_server_ttls.c @@ -332,7 +332,7 @@ static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, struct eap_ttls_data *data, size_t len) { return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge", - len); + NULL, 0, len); } @@ -1268,7 +1268,7 @@ static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len) return NULL; eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, - "ttls keying material", + "ttls keying material", NULL, 0, EAP_TLS_KEY_LEN); if (eapKeyData) { *len = EAP_TLS_KEY_LEN; @@ -1310,7 +1310,7 @@ static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len) return NULL; eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, - "ttls keying material", + "ttls keying material", NULL, 0, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); if (eapKeyData) { emsk = os_malloc(EAP_EMSK_LEN); diff --git a/src/eap_server/eap_tls_common.h b/src/eap_server/eap_tls_common.h index 31f6e72d7..36bf1949c 100644 --- a/src/eap_server/eap_tls_common.h +++ b/src/eap_server/eap_tls_common.h @@ -78,7 +78,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data, int verify_peer, int eap_type); void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data); u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, - const char *label, size_t len); + const char *label, const unsigned char *context, + size_t context_len, size_t len); u8 * eap_server_tls_derive_session_id(struct eap_sm *sm, struct eap_ssl_data *data, u8 eap_type, size_t *len);