X-Git-Url: https://bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fssl%2Fssl_hs_common.t0;h=962daa772e264745eb1c28eaee39a362d5b90cd8;hp=05b1797c18fd906516ebfb0b331d46b7fad667f5;hb=ea95d8264c6aefe742a9c3f4f9d834b188566a29;hpb=2b738493bd16d57fdb12d38d03631981370259be;ds=sidebyside

diff --git a/src/ssl/ssl_hs_common.t0 b/src/ssl/ssl_hs_common.t0
index 05b1797..962daa7 100644
--- a/src/ssl/ssl_hs_common.t0
+++ b/src/ssl/ssl_hs_common.t0
@@ -754,6 +754,10 @@ cc: mkrand ( addr len -- ) {
 \ -- PRF for TLS-1.2:
 \       4  with SHA-256
 \       5  with SHA-384
+\
+\ WARNING: if adding a new cipher suite that does not use SHA-256 for the
+\ PRF (with TLS 1.2), be sure to check the suites_sha384[] array defined
+\ in ssl/ssl_keyexport.c
 
 data: cipher-suite-def
 
@@ -1019,21 +1023,22 @@ cc: switch-chapol-in ( is_client prf_id -- ) {
 cc: compute-Finished-inner ( from_client prf_id -- ) {
 	int prf_id = T0_POP();
 	int from_client = T0_POPi();
-	unsigned char seed[48];
-	size_t seed_len;
+	unsigned char tmp[48];
+	br_tls_prf_seed_chunk seed;
 
 	br_tls_prf_impl prf = br_ssl_engine_get_PRF(ENG, prf_id);
+	seed.data = tmp;
 	if (ENG->session.version >= BR_TLS12) {
-		seed_len = br_multihash_out(&ENG->mhash, prf_id, seed);
+		seed.len = br_multihash_out(&ENG->mhash, prf_id, tmp);
 	} else {
-		br_multihash_out(&ENG->mhash, br_md5_ID, seed);
-		br_multihash_out(&ENG->mhash, br_sha1_ID, seed + 16);
-		seed_len = 36;
+		br_multihash_out(&ENG->mhash, br_md5_ID, tmp);
+		br_multihash_out(&ENG->mhash, br_sha1_ID, tmp + 16);
+		seed.len = 36;
 	}
 	prf(ENG->pad, 12, ENG->session.master_secret,
 		sizeof ENG->session.master_secret,
 		from_client ? "client finished" : "server finished",
-		seed, seed_len);
+		1, &seed);
 }
 
 \ Receive ChangeCipherSpec and Finished from the peer.