diff --git a/src/eap-peap.c b/src/eap-peap.c index b6f81f3e..5c917c06 100644 --- a/src/eap-peap.c +++ b/src/eap-peap.c @@ -29,8 +29,6 @@ #include #include -#include "ell/tls-private.h" - #include "eap.h" #include "eap-private.h" @@ -495,7 +493,6 @@ static void eap_peap_tunnel_ready(const char *peer_identity, void *user_data) struct eap_peap_state *peap = eap_get_data(eap); uint8_t msk_emsk[128]; - uint8_t random[64]; /* * PEAPv1: draft-josefsson-pppext-eap-tls-eap-05, Section 2.1.1 @@ -515,14 +512,8 @@ static void eap_peap_tunnel_ready(const char *peer_identity, void *user_data) eap_start_complete_timeout(eap); /* MSK, EMSK and challenge derivation */ - memcpy(random + 0, peap->tunnel->pending.client_random, 32); - memcpy(random + 32, peap->tunnel->pending.server_random, 32); - - l_tls_prf_get_bytes(peap->tunnel, L_CHECKSUM_SHA256, 32, - peap->tunnel->pending.master_secret, - sizeof(peap->tunnel->pending.master_secret), - "client EAP encryption", random, 64, - msk_emsk, 128); + l_tls_prf_get_bytes(peap->tunnel, L_CHECKSUM_SHA256, 32, true, + "client EAP encryption", msk_emsk, 128); eap_set_key_material(eap, msk_emsk + 0, 64, NULL, 0, NULL, 0); diff --git a/src/eap-tls.c b/src/eap-tls.c index fdc499b0..ed0258e2 100644 --- a/src/eap-tls.c +++ b/src/eap-tls.c @@ -29,8 +29,6 @@ #include #include -#include "ell/tls-private.h" - #include "eap.h" #include "eap-private.h" @@ -137,7 +135,6 @@ static void eap_tls_ready_cb(const char *peer_identity, void *user_data) struct eap_tls_state *tls = eap_get_data(eap); uint8_t msk_emsk[128]; uint8_t iv[64]; - uint8_t seed[64]; /* TODO: if we have a CA certificate require non-NULL peer_identity */ @@ -147,19 +144,10 @@ static void eap_tls_ready_cb(const char *peer_identity, void *user_data) eap_start_complete_timeout(eap); /* MSK, EMSK and IV derivation */ - memcpy(seed + 0, tls->tls->pending.client_random, 32); - memcpy(seed + 32, tls->tls->pending.server_random, 32); - - l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, - tls->tls->pending.master_secret, - sizeof(tls->tls->pending.master_secret), - "client EAP encryption", seed, 64, - msk_emsk, 128); - l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, NULL, 0, - "client EAP encryption", seed, 64, - iv, 64); - - memset(seed, 0, 64); + l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, true, + "client EAP encryption", msk_emsk, 128); + l_tls_prf_get_bytes(tls->tls, L_CHECKSUM_SHA256, 32, false, + "client EAP encryption", iv, 64); eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, iv, 64); } diff --git a/src/eap-ttls.c b/src/eap-ttls.c index 1a91d025..1adf3658 100644 --- a/src/eap-ttls.c +++ b/src/eap-ttls.c @@ -29,8 +29,6 @@ #include #include -#include "ell/tls-private.h" - #include "util.h" #include "eap.h" #include "eap-private.h" @@ -455,18 +453,8 @@ static void eap_ttls_phase2_chap_generate_challenge(struct l_tls *tunnel, uint8_t *challenge, size_t challenge_len) { - uint8_t seed[64]; - - memcpy(seed + 0, tunnel->pending.client_random, 32); - memcpy(seed + 32, tunnel->pending.server_random, 32); - - l_tls_prf_get_bytes(tunnel, L_CHECKSUM_SHA256, 32, - tunnel->pending.master_secret, - sizeof(tunnel->pending.master_secret), - "ttls challenge", seed, 64, - challenge, challenge_len); - - memset(seed, 0, 64); + l_tls_prf_get_bytes(tunnel, L_CHECKSUM_SHA256, 32, true, + "ttls challenge", challenge, challenge_len); } static bool eap_ttls_phase2_chap_init(struct eap_state *eap) @@ -696,7 +684,6 @@ static void eap_ttls_ready_cb(const char *peer_identity, void *user_data) struct eap_state *eap = user_data; struct eap_ttls_state *ttls = eap_get_data(eap); uint8_t msk_emsk[128]; - uint8_t seed[64]; /* TODO: if we have a CA certificate require non-NULL peer_identity */ @@ -710,16 +697,8 @@ static void eap_ttls_ready_cb(const char *peer_identity, void *user_data) eap_method_success(eap); /* MSK, EMSK and challenge derivation */ - memcpy(seed + 0, ttls->tls->pending.client_random, 32); - memcpy(seed + 32, ttls->tls->pending.server_random, 32); - - l_tls_prf_get_bytes(ttls->tls, L_CHECKSUM_SHA256, 32, - ttls->tls->pending.master_secret, - sizeof(ttls->tls->pending.master_secret), - "ttls keying material", seed, 64, - msk_emsk, 128); - - memset(seed, 0, 64); + l_tls_prf_get_bytes(ttls->tls, L_CHECKSUM_SHA256, 32, true, + "ttls keying material", msk_emsk, 128); eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, NULL, 0); diff --git a/unit/test-eapol.c b/unit/test-eapol.c index c40eb624..56a32db9 100644 --- a/unit/test-eapol.c +++ b/unit/test-eapol.c @@ -30,8 +30,6 @@ #include #include -#include "ell/tls-private.h" - #include "src/util.h" #include "src/eapol.h" #include "src/crypto.h" @@ -2840,20 +2838,14 @@ static void eapol_sm_test_tls_test_ready(const char *peer_identity, void *user_data) { struct eapol_8021x_tls_test_state *s = user_data; - uint8_t seed[64]; assert(!s->tx_ack); /* TODO: require the right peer_identity */ s->success = true; - memcpy(seed + 0, s->tls->pending.client_random, 32); - memcpy(seed + 32, s->tls->pending.server_random, 32); - - l_tls_prf_get_bytes(s->tls, L_CHECKSUM_SHA256, 32, - s->tls->pending.master_secret, - sizeof(s->tls->pending.master_secret), - "client EAP encryption", seed, 64, s->pmk, 32); + l_tls_prf_get_bytes(s->tls, L_CHECKSUM_SHA256, 32, true, + "client EAP encryption", s->pmk, 32); } static void eapol_sm_test_tls_test_disconnected(enum l_tls_alert_desc reason, @@ -3164,19 +3156,12 @@ static void eapol_sm_test_eap_ttls_test_ready(const char *peer_identity, void *user_data) { struct eapol_8021x_eap_ttls_test_state *s = user_data; - uint8_t seed[64]; assert(!s->tls.tx_ack); /* TODO: require the right peer_identity */ - memcpy(seed + 0, s->tls.tls->pending.client_random, 32); - memcpy(seed + 32, s->tls.tls->pending.server_random, 32); - - l_tls_prf_get_bytes(s->tls.tls, L_CHECKSUM_SHA256, 32, - s->tls.tls->pending.master_secret, - sizeof(s->tls.tls->pending.master_secret), - "ttls keying material", seed, 64, - s->tls.pmk, 32); + l_tls_prf_get_bytes(s->tls.tls, L_CHECKSUM_SHA256, 32, true, + "ttls keying material", s->tls.pmk, 32); s->challenge_sent = false; }