commit 51d3ab544f46dc5eda6fbd5560f4fddba76215d6
author Ron Eldor <Ron.Eldor@arm.com> Sun May 12 14:54:30 2019 +0300
committer Ron Eldor <Ron.Eldor@arm.com> Wed May 15 13:53:02 2019 +0300
tree 8b9b365b816192ea51d174cee341d436ee1c2384
parent b7fd64ce2bb861d0ce2f3614ad0ac75b4dbf860d

Add public API for tls_prf

Add a public API for key derivation, introducing an enum for `tls_prf`
type.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 620adf9..df106a5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -751,6 +751,43 @@
 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
           MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
 
+int  mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
+                          const unsigned char *secret, size_t slen,
+                          const char *label,
+                          const unsigned char *random, size_t rlen,
+                          unsigned char *dstbuf, size_t dlen )
+{
+    mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
+
+    switch( prf )
+    {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        case MBEDTLS_SSL_TLS_PRF_SSL3:
+            tls_prf = ssl3_prf;
+        break;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        case MBEDTLS_SSL_TLS_PRF_TLS1:
+            tls_prf = tls1_prf;
+        break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_TLS_PRF_SHA384:
+            tls_prf = tls_prf_sha384;
+        break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_TLS_PRF_SHA256:
+            tls_prf = tls_prf_sha256;
+        break;
+#endif
+    default:
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
+}
+
 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
@@ -774,6 +811,10 @@
      * "The master secret is always exactly 48 bytes in length." */
     size_t const master_secret_len = 48;
 
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    mbedtls_tls_prf_types tls_prf_type = MBEDTLS_SSL_TLS_PRF_NONE;
+#endif
+
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
     unsigned char session_hash[48];
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
@@ -815,6 +856,9 @@
         handshake->tls_prf = ssl3_prf;
         handshake->calc_verify = ssl_calc_verify_ssl;
         handshake->calc_finished = ssl_calc_finished_ssl;
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+        tls_prf_type = MBEDTLS_SSL_TLS_PRF_SSL3;
+#endif
     }
     else
 #endif
@@ -824,6 +868,9 @@
         handshake->tls_prf = tls1_prf;
         handshake->calc_verify = ssl_calc_verify_tls;
         handshake->calc_finished = ssl_calc_finished_tls;
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+        tls_prf_type = MBEDTLS_SSL_TLS_PRF_TLS1;
+#endif
     }
     else
 #endif
@@ -835,6 +882,9 @@
         handshake->tls_prf = tls_prf_sha384;
         handshake->calc_verify = ssl_calc_verify_tls_sha384;
         handshake->calc_finished = ssl_calc_finished_tls_sha384;
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+        tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA384;
+#endif
     }
     else
 #endif
@@ -844,6 +894,9 @@
         handshake->tls_prf = tls_prf_sha256;
         handshake->calc_verify = ssl_calc_verify_tls_sha256;
         handshake->calc_finished = ssl_calc_finished_tls_sha256;
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+        tls_prf_type = MBEDTLS_SSL_TLS_PRF_SHA256;
+#endif
     }
     else
 #endif
@@ -1271,9 +1324,10 @@
         ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,
                                       session->master, keyblk,
                                       mac_key_len, keylen,
-                                      iv_copy_len, handshake->tls_prf,
+                                      iv_copy_len,
                                       handshake->randbytes + 32,
-                                      handshake->randbytes );
+                                      handshake->randbytes,
+                                      tls_prf_type);
     }
 #endif