From patchwork Thu Sep 11 20:17:13 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4403
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 11 Sep 2025 22:17:13 +0200
Message-ID: <20250911201719.25773-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v8] openvpn_PRF: Change API to use size_t for lenghts

From: Frank Lichtenheld

Basically all users already wanted that anyway. And most of the library functions also take size_t nowadays.

Change-Id: Ic88cd6e143bc48cab3c9ebb7c7007513803bd199
Signed-off-by: Frank Lichtenheld
Acked-by: MaxF
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1135
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
MaxF

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a63e543..4c0f684 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1903,8 +1903,8 @@ uint8_t out[8]; uint8_t expected_out[] = { 'q', 'D', 0xfe, '%', '@', 's', 'u', 0x95 }; - int ret = ssl_tls1_PRF((uint8_t *)seed, (int)strlen(seed), (uint8_t *)secret, - (int)strlen(secret), out, sizeof(out)); + int ret = ssl_tls1_PRF((uint8_t *)seed, strlen(seed), (uint8_t *)secret, + strlen(secret), out, sizeof(out)); return (ret && memcmp(out, expected_out, sizeof(out)) == 0); } diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 59418f6..b74cb7f 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h
@@ -716,7 +716,7 @@ * * @return true if successful, false on any error */ -bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, - uint8_t *output, int output_len); +bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, + uint8_t *output, size_t output_len); #endif /* CRYPTO_BACKEND_H_ */ diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 86317dd..2423435 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -983,8 +983,8 @@ * from recent versions, so we use our own implementation if necessary. */ #if defined(HAVE_MBEDTLS_SSL_TLS_PRF) && defined(MBEDTLS_SSL_TLS_PRF_TLS1) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, - uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, + uint8_t *output, size_t output_len) { return mbed_ok(mbedtls_ssl_tls_prf(MBEDTLS_SSL_TLS_PRF_TLS1, secret, secret_len, "", seed, seed_len, output, output_len)); @@ -1002,8 +1002,8 @@ * @param olen Length of the output buffer */ static void -tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, - int seed_len, uint8_t *out, int olen) +tls1_P_hash(const mbedtls_md_info_t *md_kt, const uint8_t *sec, size_t sec_len, const uint8_t *seed, + size_t seed_len, uint8_t *out, size_t olen) { struct gc_arena gc = gc_new(); uint8_t A1[MAX_HMAC_KEY_LENGTH]; @@ -1011,7 +1011,7 @@ #ifdef ENABLE_DEBUG /* used by the D_SHOW_KEY_SOURCE, guarded with ENABLE_DEBUG to avoid unused * variables warnings if compiled with --enable-small */ - const int olen_orig = olen; + const size_t olen_orig = olen; const uint8_t *out_orig = out; #endif 
@@ -1021,7 +1021,7 @@ dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc)); - int chunk = mbedtls_md_get_size(md_kt); + unsigned int chunk = mbedtls_md_get_size(md_kt); unsigned int A1_len = mbedtls_md_get_size(md_kt); /* This is the only place where we init an HMAC with a key that is not @@ -1089,8 +1089,8 @@ * (2) The pre-master secret is generated by the client. */ bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, - int olen) +ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1, + size_t olen) { struct gc_arena gc = gc_new(); const md_kt_t *md5 = md_get("MD5"); @@ -1098,7 +1098,7 @@ uint8_t *out2 = (uint8_t *)gc_malloc(olen, false, &gc); - int len = slen / 2; + size_t len = slen / 2; const uint8_t *S1 = sec; const uint8_t *S2 = &(sec[len]); len += (slen & 1); /* add for odd, make longer */ @@ -1106,14 +1106,14 @@ tls1_P_hash(md5, S1, len, label, label_len, out1, olen); tls1_P_hash(sha1, S2, len, label, label_len, out2, olen); - for (int i = 0; i < olen; i++) + for (size_t i = 0; i < olen; i++) { out1[i] ^= out2[i]; } secure_memzero(out2, olen); - dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc)); + dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%zu]: %s", olen, format_hex(out1, olen, 0, &gc)); gc_free(&gc); return true; diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 2351bfd..75af4f5 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -1341,8 +1341,8 @@ } #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && !defined(LIBRESSL_VERSION_NUMBER) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, - uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, + uint8_t *output, size_t output_len) { bool ret = true; EVP_KDF_CTX *kctx = NULL; @@ -1368,9 +1368,9 @@ params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, SN_md5_sha1, strlen(SN_md5_sha1)); params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, (uint8_t *)secret, - (size_t)secret_len); + secret_len); params[2] = - OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, (size_t)seed_len); + OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, (uint8_t *)seed, seed_len); params[3] = OSSL_PARAM_construct_end(); if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) @@ -1392,15 +1392,15 @@ } #elif defined(OPENSSL_IS_AWSLC) bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, - int olen) +ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1, + size_t olen) { CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); } #elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) bool -ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, - uint8_t *output, int output_len) +ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, + uint8_t *output, size_t output_len) { EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); if (!pctx) 
@@ -1448,8 +1448,8 @@ * OpenSSL does. As result they will only be able to support * peers that support TLS EKM like when running with OpenSSL 3.x FIPS */ bool -ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, - int olen) +ssl_tls1_PRF(const uint8_t *label, size_t label_len, const uint8_t *sec, size_t slen, uint8_t *out1, + size_t olen) { return false; } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 85b018b..284d951 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1294,10 +1294,10 @@ } static bool -openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, - int client_seed_len, const uint8_t *server_seed, int server_seed_len, +openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed, + size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, - uint8_t *output, int output_len) + uint8_t *output, size_t output_len) { /* concatenate seed components */ diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 12ddaba..5df1046 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -161,7 +161,7 @@ uint8_t out[32]; - bool ret = ssl_tls1_PRF(seed, (int)seed_len, secret, (int)secret_len, out, sizeof(out)); + bool ret = ssl_tls1_PRF(seed, seed_len, secret, secret_len, out, sizeof(out)); #if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL) /* No TLS1 PRF support in these libraries */
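Review bot: In src/openvpn/crypto_openssl.c, hunk @@ -1392,15 +1392,15 @@, the OPENSSL_IS_AWSLC variant of ssl_tls1_PRF is declared bool but the body shown is a bare call to CRYPTO_tls1_prf(...) with no return statement, so the caller reads an indeterminate value and a derivation failure cannot be reported. Since this signature is being rewritten anyway, return the result of the call converted to bool in the same change.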
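Review bot: In tls1_P_hash (src/openvpn/crypto_mbedtls.c, hunks @@ -1002,8 and @@ -1021,7), olen changes from int to size_t and chunk from int to unsigned int, but the loop that consumes them is not part of the diff. With unsigned types a subtraction of chunk from olen that used to go negative now wraps to a huge value, and a termination test of the form `olen <= 0` only fires at exactly zero. Please confirm the loop checks `olen > chunk` before subtracting, and say so in the commit message so the next reader does not have to re-derive it.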
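Review bot: In src/openvpn/crypto.c, hunk @@ -1903,8 +1903,8 @@, the result is still stored as `int ret` although crypto_backend.h declares ssl_tls1_PRF as returning bool and the same call in tests/unit_tests/openvpn/test_crypto.c uses `bool ret`. Style nit: switch this one to `bool ret` while the line is being edited.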
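Review bot: In src/openvpn/ssl.c, hunk @@ -1294,10 +1294,10 @@, openvpn_PRF now takes size_t for secret_len, both seed lengths and output_len, but no call site of openvpn_PRF is touched by this patch. A caller that still holds one of these lengths in an int will convert silently, and a negative value would arrive as a very large size_t. The commit message says the users already wanted size_t; it would help to state explicitly that every caller passes an unsigned or sizeof-derived value, or to add the remaining caller changes here.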