158 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 159 "for Certificate (cert_len=%lu left=%lu)", 160 (unsigned long) cert->cert_len, 161 (unsigned long) (end - pos)); 162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_INTERNAL_ERROR); 164 return -1; 165 } 166 WPA_PUT_BE24(pos, cert->cert_len); 167 pos += 3; 168 os_memcpy(pos, cert->cert_start, cert->cert_len); 169 pos += cert->cert_len; 170 171 if (x509_certificate_self_signed(cert)) 172 break; 173 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 174 &cert->issuer); 175 } 176 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 177 /* 178 * Client was not configured with all the needed certificates 179 * to form a full certificate chain. The server may fail to 180 * validate the chain unless it is configured with all the 181 * missing CA certificates. 182 */ 183 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 184 "not configured - validation may fail"); 185 } 186 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 187 188 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 189 190 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 191 rhdr, end - rhdr, hs_start, pos - hs_start, 192 &rlen) < 0) { 193 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 194 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 195 TLS_ALERT_INTERNAL_ERROR); 196 return -1; 197 } 198 pos = rhdr + rlen; 199 200 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 201 202 *msgpos = pos; 203 204 return 0; 205} 206 207 208static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 209{ 210 /* ClientDiffieHellmanPublic */ 211 u8 *csecret, *csecret_start, *dh_yc, *shared; 212 size_t csecret_len, dh_yc_len, shared_len; 213 214 csecret_len = conn->dh_p_len; 215 csecret = os_malloc(csecret_len); 216 if (csecret == NULL) { 217 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 218 "memory for Yc (Diffie-Hellman)"); 219 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 220 TLS_ALERT_INTERNAL_ERROR); 221 return -1; 222 } 223 if (random_get_bytes(csecret, csecret_len)) { 224 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 225 "data for Diffie-Hellman"); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_INTERNAL_ERROR); 228 os_free(csecret); 229 return -1; 230 } 231 232 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 233 csecret[0] = 0; /* make sure Yc < p */ 234 235 csecret_start = csecret; 236 while (csecret_len > 1 && *csecret_start == 0) { 237 csecret_start++; 238 csecret_len--; 239 } 240 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 241 csecret_start, csecret_len); 242 243 /* Yc = g^csecret mod p */ 244 dh_yc_len = conn->dh_p_len; 245 dh_yc = os_malloc(dh_yc_len); 246 if (dh_yc == NULL) { 247 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 248 "memory for Diffie-Hellman"); 249 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 250 TLS_ALERT_INTERNAL_ERROR); 251 os_free(csecret); 252 return -1; 253 } 254 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 255 csecret_start, csecret_len, 256 conn->dh_p, conn->dh_p_len, 257 dh_yc, &dh_yc_len)) { 258 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 259 TLS_ALERT_INTERNAL_ERROR); 260 os_free(csecret); 261 os_free(dh_yc); 262 return -1; 263 } 264 265 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 266 dh_yc, dh_yc_len); 267
| 295 wpa_printf(MSG_DEBUG, "TLSv1: Not enough buffer space " 296 "for Certificate (cert_len=%lu left=%lu)", 297 (unsigned long) cert->cert_len, 298 (unsigned long) (end - pos)); 299 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 300 TLS_ALERT_INTERNAL_ERROR); 301 return -1; 302 } 303 WPA_PUT_BE24(pos, cert->cert_len); 304 pos += 3; 305 os_memcpy(pos, cert->cert_start, cert->cert_len); 306 pos += cert->cert_len; 307 308 if (x509_certificate_self_signed(cert)) 309 break; 310 cert = x509_certificate_get_subject(conn->cred->trusted_certs, 311 &cert->issuer); 312 } 313 if (conn->cred == NULL || cert == conn->cred->cert || cert == NULL) { 314 /* 315 * Client was not configured with all the needed certificates 316 * to form a full certificate chain. The server may fail to 317 * validate the chain unless it is configured with all the 318 * missing CA certificates. 319 */ 320 wpa_printf(MSG_DEBUG, "TLSv1: Full client certificate chain " 321 "not configured - validation may fail"); 322 } 323 WPA_PUT_BE24(cert_start, pos - cert_start - 3); 324 325 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 326 327 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 328 rhdr, end - rhdr, hs_start, pos - hs_start, 329 &rlen) < 0) { 330 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 331 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 332 TLS_ALERT_INTERNAL_ERROR); 333 return -1; 334 } 335 pos = rhdr + rlen; 336 337 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 338 339 *msgpos = pos; 340 341 return 0; 342} 343 344 345static int tlsv1_key_x_dh(struct tlsv1_client *conn, u8 **pos, u8 *end) 346{ 347 /* ClientDiffieHellmanPublic */ 348 u8 *csecret, *csecret_start, *dh_yc, *shared; 349 size_t csecret_len, dh_yc_len, shared_len; 350 351 csecret_len = conn->dh_p_len; 352 csecret = os_malloc(csecret_len); 353 if (csecret == NULL) { 354 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 355 "memory for Yc (Diffie-Hellman)"); 356 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 357 TLS_ALERT_INTERNAL_ERROR); 358 return -1; 359 } 360 if (random_get_bytes(csecret, csecret_len)) { 361 wpa_printf(MSG_DEBUG, "TLSv1: Failed to get random " 362 "data for Diffie-Hellman"); 363 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 364 TLS_ALERT_INTERNAL_ERROR); 365 os_free(csecret); 366 return -1; 367 } 368 369 if (os_memcmp(csecret, conn->dh_p, csecret_len) > 0) 370 csecret[0] = 0; /* make sure Yc < p */ 371 372 csecret_start = csecret; 373 while (csecret_len > 1 && *csecret_start == 0) { 374 csecret_start++; 375 csecret_len--; 376 } 377 wpa_hexdump_key(MSG_DEBUG, "TLSv1: DH client's secret value", 378 csecret_start, csecret_len); 379 380 /* Yc = g^csecret mod p */ 381 dh_yc_len = conn->dh_p_len; 382 dh_yc = os_malloc(dh_yc_len); 383 if (dh_yc == NULL) { 384 wpa_printf(MSG_DEBUG, "TLSv1: Failed to allocate " 385 "memory for Diffie-Hellman"); 386 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 387 TLS_ALERT_INTERNAL_ERROR); 388 os_free(csecret); 389 return -1; 390 } 391 if (crypto_mod_exp(conn->dh_g, conn->dh_g_len, 392 csecret_start, csecret_len, 393 conn->dh_p, conn->dh_p_len, 394 dh_yc, &dh_yc_len)) { 395 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 396 TLS_ALERT_INTERNAL_ERROR); 397 os_free(csecret); 398 os_free(dh_yc); 399 return -1; 400 } 401 402 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Yc (client's public value)", 403 dh_yc, dh_yc_len); 404
|
271 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 272 "message buffer for Yc"); 273 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 274 TLS_ALERT_INTERNAL_ERROR); 275 os_free(csecret); 276 os_free(dh_yc); 277 return -1; 278 } 279 os_memcpy(*pos, dh_yc, dh_yc_len); 280 *pos += dh_yc_len; 281 os_free(dh_yc); 282 283 shared_len = conn->dh_p_len; 284 shared = os_malloc(shared_len); 285 if (shared == NULL) { 286 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 287 "DH"); 288 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 289 TLS_ALERT_INTERNAL_ERROR); 290 os_free(csecret); 291 return -1; 292 } 293 294 /* shared = Ys^csecret mod p */ 295 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 296 csecret_start, csecret_len, 297 conn->dh_p, conn->dh_p_len, 298 shared, &shared_len)) { 299 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 300 TLS_ALERT_INTERNAL_ERROR); 301 os_free(csecret); 302 os_free(shared); 303 return -1; 304 } 305 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 306 shared, shared_len); 307 308 os_memset(csecret_start, 0, csecret_len); 309 os_free(csecret); 310 if (tls_derive_keys(conn, shared, shared_len)) { 311 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 312 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 313 TLS_ALERT_INTERNAL_ERROR); 314 os_free(shared); 315 return -1; 316 } 317 os_memset(shared, 0, shared_len); 318 os_free(shared); 319 tlsv1_client_free_dh(conn); 320 return 0; 321} 322 323 324static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 325{ 326 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 327 size_t clen; 328 int res; 329 330 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 331 tls_derive_keys(conn, pre_master_secret, 332 TLS_PRE_MASTER_SECRET_LEN)) { 333 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 334 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 335 TLS_ALERT_INTERNAL_ERROR); 336 return -1; 337 } 338 339 /* EncryptedPreMasterSecret */ 340 if (conn->server_rsa_key == NULL) { 341 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 342 "use for encrypting pre-master secret"); 343 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 344 TLS_ALERT_INTERNAL_ERROR); 345 return -1; 346 } 347 348 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 349 *pos += 2; 350 clen = end - *pos; 351 res = crypto_public_key_encrypt_pkcs1_v15( 352 conn->server_rsa_key, 353 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 354 *pos, &clen); 355 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 356 if (res < 0) { 357 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 358 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 359 TLS_ALERT_INTERNAL_ERROR); 360 return -1; 361 } 362 WPA_PUT_BE16(*pos - 2, clen); 363 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 364 *pos, clen); 365 *pos += clen; 366 367 return 0; 368} 369 370 371static int tls_write_client_key_exchange(struct tlsv1_client *conn, 372 u8 **msgpos, u8 *end) 373{ 374 u8 *pos, *rhdr, *hs_start, *hs_length; 375 size_t rlen; 376 tls_key_exchange keyx; 377 const struct tls_cipher_suite *suite; 378 379 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 380 if (suite == NULL) 381 keyx = TLS_KEY_X_NULL; 382 else 383 keyx = suite->key_exchange; 384 385 pos = *msgpos; 386 387 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 388 389 rhdr = pos; 390 pos += TLS_RECORD_HEADER_LEN; 391 392 /* opaque fragment[TLSPlaintext.length] */ 393 394 /* Handshake */ 395 hs_start = pos; 396 /* HandshakeType msg_type */ 397 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 398 /* uint24 length (to be filled) */ 399 hs_length = pos; 400 pos += 3; 401 /* body - ClientKeyExchange */ 402 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 403 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 404 return -1; 405 } else { 406 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 407 return -1; 408 } 409 410 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 411 412 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 413 rhdr, end - rhdr, hs_start, pos - hs_start, 414 &rlen) < 0) { 415 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 416 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 417 TLS_ALERT_INTERNAL_ERROR); 418 return -1; 419 } 420 pos = rhdr + rlen; 421 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 422 423 *msgpos = pos; 424 425 return 0; 426} 427 428 429static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 430 u8 **msgpos, u8 *end) 431{ 432 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 433 size_t rlen, hlen, clen; 434 u8 hash[100], *hpos; 435 436 pos = *msgpos; 437 438 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 439 rhdr = pos; 440 pos += TLS_RECORD_HEADER_LEN; 441 442 /* Handshake */ 443 hs_start = pos; 444 /* HandshakeType msg_type */ 445 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 446 /* uint24 length (to be filled) */ 447 hs_length = pos; 448 pos += 3; 449 450 /* 451 * RFC 2246: 7.4.3 and 7.4.8: 452 * Signature signature 453 * 454 * RSA: 455 * digitally-signed struct { 456 * opaque md5_hash[16]; 457 * opaque sha_hash[20]; 458 * }; 459 * 460 * DSA: 461 * digitally-signed struct { 462 * opaque sha_hash[20]; 463 * }; 464 * 465 * The hash values are calculated over all handshake messages sent or 466 * received starting at ClientHello up to, but not including, this 467 * CertificateVerify message, including the type and length fields of 468 * the handshake messages. 469 */ 470 471 hpos = hash; 472 473#ifdef CONFIG_TLSV12 474 if (conn->rl.tls_version == TLS_VERSION_1_2) { 475 hlen = SHA256_MAC_LEN; 476 if (conn->verify.sha256_cert == NULL || 477 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 478 0) { 479 conn->verify.sha256_cert = NULL; 480 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 481 TLS_ALERT_INTERNAL_ERROR); 482 return -1; 483 } 484 conn->verify.sha256_cert = NULL; 485 486 /* 487 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 488 * 489 * DigestInfo ::= SEQUENCE { 490 * digestAlgorithm DigestAlgorithm, 491 * digest OCTET STRING 492 * } 493 * 494 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 495 * 496 * DER encoded DigestInfo for SHA256 per RFC 3447: 497 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 498 * H 499 */ 500 os_memmove(hash + 19, hash, hlen); 501 hlen += 19; 502 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 503 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 504 } else { 505#endif /* CONFIG_TLSV12 */ 506 507 hlen = MD5_MAC_LEN; 508 if (conn->verify.md5_cert == NULL || 509 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 510 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 511 TLS_ALERT_INTERNAL_ERROR); 512 conn->verify.md5_cert = NULL; 513 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 514 conn->verify.sha1_cert = NULL; 515 return -1; 516 } 517 hpos += MD5_MAC_LEN; 518 519 conn->verify.md5_cert = NULL; 520 hlen = SHA1_MAC_LEN; 521 if (conn->verify.sha1_cert == NULL || 522 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 523 conn->verify.sha1_cert = NULL; 524 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 525 TLS_ALERT_INTERNAL_ERROR); 526 return -1; 527 } 528 conn->verify.sha1_cert = NULL; 529 530 hlen += MD5_MAC_LEN; 531 532#ifdef CONFIG_TLSV12 533 } 534#endif /* CONFIG_TLSV12 */ 535 536 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 537 538#ifdef CONFIG_TLSV12 539 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 540 /* 541 * RFC 5246, 4.7: 542 * TLS v1.2 adds explicit indication of the used signature and 543 * hash algorithms. 544 * 545 * struct { 546 * HashAlgorithm hash; 547 * SignatureAlgorithm signature; 548 * } SignatureAndHashAlgorithm; 549 */ 550 *pos++ = TLS_HASH_ALG_SHA256; 551 *pos++ = TLS_SIGN_ALG_RSA; 552 } 553#endif /* CONFIG_TLSV12 */ 554 555 /* 556 * RFC 2246, 4.7: 557 * In digital signing, one-way hash functions are used as input for a 558 * signing algorithm. A digitally-signed element is encoded as an 559 * opaque vector <0..2^16-1>, where the length is specified by the 560 * signing algorithm and key. 561 * 562 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 563 * MD5) is signed (encrypted with the private key). It is encoded with 564 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 565 */ 566 signed_start = pos; /* length to be filled */ 567 pos += 2; 568 clen = end - pos; 569 if (conn->cred == NULL || 570 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 571 pos, &clen) < 0) { 572 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 573 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 574 TLS_ALERT_INTERNAL_ERROR); 575 return -1; 576 } 577 WPA_PUT_BE16(signed_start, clen); 578 579 pos += clen; 580 581 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 582 583 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 584 rhdr, end - rhdr, hs_start, pos - hs_start, 585 &rlen) < 0) { 586 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 587 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 588 TLS_ALERT_INTERNAL_ERROR); 589 return -1; 590 } 591 pos = rhdr + rlen; 592 593 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 594 595 *msgpos = pos; 596 597 return 0; 598} 599 600 601static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 602 u8 **msgpos, u8 *end) 603{ 604 size_t rlen; 605 u8 payload[1]; 606 607 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 608 609 payload[0] = TLS_CHANGE_CIPHER_SPEC; 610 611 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 612 *msgpos, end - *msgpos, payload, sizeof(payload), 613 &rlen) < 0) { 614 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 615 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 616 TLS_ALERT_INTERNAL_ERROR); 617 return -1; 618 } 619 620 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 621 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 622 "record layer"); 623 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 624 TLS_ALERT_INTERNAL_ERROR); 625 return -1; 626 } 627 628 *msgpos += rlen; 629 630 return 0; 631} 632 633 634static int tls_write_client_finished(struct tlsv1_client *conn, 635 u8 **msgpos, u8 *end) 636{ 637 u8 *pos, *hs_start; 638 size_t rlen, hlen; 639 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 640 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 641 642 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 643 644 /* Encrypted Handshake Message: Finished */ 645 646#ifdef CONFIG_TLSV12 647 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 648 hlen = SHA256_MAC_LEN; 649 if (conn->verify.sha256_client == NULL || 650 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 651 < 0) { 652 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 653 TLS_ALERT_INTERNAL_ERROR); 654 conn->verify.sha256_client = NULL; 655 return -1; 656 } 657 conn->verify.sha256_client = NULL; 658 } else { 659#endif /* CONFIG_TLSV12 */ 660 661 hlen = MD5_MAC_LEN; 662 if (conn->verify.md5_client == NULL || 663 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 664 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 665 TLS_ALERT_INTERNAL_ERROR); 666 conn->verify.md5_client = NULL; 667 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 668 conn->verify.sha1_client = NULL; 669 return -1; 670 } 671 conn->verify.md5_client = NULL; 672 hlen = SHA1_MAC_LEN; 673 if (conn->verify.sha1_client == NULL || 674 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 675 &hlen) < 0) { 676 conn->verify.sha1_client = NULL; 677 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 678 TLS_ALERT_INTERNAL_ERROR); 679 return -1; 680 } 681 conn->verify.sha1_client = NULL; 682 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 683 684#ifdef CONFIG_TLSV12 685 } 686#endif /* CONFIG_TLSV12 */ 687 688 if (tls_prf(conn->rl.tls_version, 689 conn->master_secret, TLS_MASTER_SECRET_LEN, 690 "client finished", hash, hlen, 691 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 692 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 693 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 694 TLS_ALERT_INTERNAL_ERROR); 695 return -1; 696 } 697 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 698 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 699 700 /* Handshake */ 701 pos = hs_start = verify_data; 702 /* HandshakeType msg_type */ 703 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 704 /* uint24 length */ 705 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 706 pos += 3; 707 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 708 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 709 710 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 711 *msgpos, end - *msgpos, hs_start, pos - hs_start, 712 &rlen) < 0) { 713 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 714 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 715 TLS_ALERT_INTERNAL_ERROR); 716 return -1; 717 } 718 719 *msgpos += rlen; 720 721 return 0; 722} 723 724 725static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 726 size_t *out_len) 727{ 728 u8 *msg, *end, *pos; 729 size_t msglen; 730 731 *out_len = 0; 732 733 msglen = 2000; 734 if (conn->certificate_requested) 735 msglen += tls_client_cert_chain_der_len(conn); 736 737 msg = os_malloc(msglen); 738 if (msg == NULL) 739 return NULL; 740 741 pos = msg; 742 end = msg + msglen; 743 744 if (conn->certificate_requested) { 745 if (tls_write_client_certificate(conn, &pos, end) < 0) { 746 os_free(msg); 747 return NULL; 748 } 749 } 750 751 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 752 (conn->certificate_requested && conn->cred && conn->cred->key && 753 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 754 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 755 tls_write_client_finished(conn, &pos, end) < 0) { 756 os_free(msg); 757 return NULL; 758 } 759 760 *out_len = pos - msg; 761 762 conn->state = SERVER_CHANGE_CIPHER_SPEC; 763 764 return msg; 765} 766 767 768static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 769 size_t *out_len) 770{ 771 u8 *msg, *end, *pos; 772 773 *out_len = 0; 774 775 msg = os_malloc(1000); 776 if (msg == NULL) 777 return NULL; 778 779 pos = msg; 780 end = msg + 1000; 781 782 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 783 tls_write_client_finished(conn, &pos, end) < 0) { 784 os_free(msg); 785 return NULL; 786 } 787 788 *out_len = pos - msg; 789 790 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 791 "successfully");
| 415 wpa_printf(MSG_DEBUG, "TLSv1: Not enough room in the " 416 "message buffer for Yc"); 417 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 418 TLS_ALERT_INTERNAL_ERROR); 419 os_free(csecret); 420 os_free(dh_yc); 421 return -1; 422 } 423 os_memcpy(*pos, dh_yc, dh_yc_len); 424 *pos += dh_yc_len; 425 os_free(dh_yc); 426 427 shared_len = conn->dh_p_len; 428 shared = os_malloc(shared_len); 429 if (shared == NULL) { 430 wpa_printf(MSG_DEBUG, "TLSv1: Could not allocate memory for " 431 "DH"); 432 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 433 TLS_ALERT_INTERNAL_ERROR); 434 os_free(csecret); 435 return -1; 436 } 437 438 /* shared = Ys^csecret mod p */ 439 if (crypto_mod_exp(conn->dh_ys, conn->dh_ys_len, 440 csecret_start, csecret_len, 441 conn->dh_p, conn->dh_p_len, 442 shared, &shared_len)) { 443 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 444 TLS_ALERT_INTERNAL_ERROR); 445 os_free(csecret); 446 os_free(shared); 447 return -1; 448 } 449 wpa_hexdump_key(MSG_DEBUG, "TLSv1: Shared secret from DH key exchange", 450 shared, shared_len); 451 452 os_memset(csecret_start, 0, csecret_len); 453 os_free(csecret); 454 if (tls_derive_keys(conn, shared, shared_len)) { 455 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 456 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 457 TLS_ALERT_INTERNAL_ERROR); 458 os_free(shared); 459 return -1; 460 } 461 os_memset(shared, 0, shared_len); 462 os_free(shared); 463 tlsv1_client_free_dh(conn); 464 return 0; 465} 466 467 468static int tlsv1_key_x_rsa(struct tlsv1_client *conn, u8 **pos, u8 *end) 469{ 470 u8 pre_master_secret[TLS_PRE_MASTER_SECRET_LEN]; 471 size_t clen; 472 int res; 473 474 if (tls_derive_pre_master_secret(pre_master_secret) < 0 || 475 tls_derive_keys(conn, pre_master_secret, 476 TLS_PRE_MASTER_SECRET_LEN)) { 477 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 478 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 479 TLS_ALERT_INTERNAL_ERROR); 480 return -1; 481 } 482 483 /* EncryptedPreMasterSecret */ 484 if (conn->server_rsa_key == NULL) { 485 wpa_printf(MSG_DEBUG, "TLSv1: No server RSA key to " 486 "use for encrypting pre-master secret"); 487 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 488 TLS_ALERT_INTERNAL_ERROR); 489 return -1; 490 } 491 492 /* RSA encrypted value is encoded with PKCS #1 v1.5 block type 2. */ 493 *pos += 2; 494 clen = end - *pos; 495 res = crypto_public_key_encrypt_pkcs1_v15( 496 conn->server_rsa_key, 497 pre_master_secret, TLS_PRE_MASTER_SECRET_LEN, 498 *pos, &clen); 499 os_memset(pre_master_secret, 0, TLS_PRE_MASTER_SECRET_LEN); 500 if (res < 0) { 501 wpa_printf(MSG_DEBUG, "TLSv1: RSA encryption failed"); 502 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 503 TLS_ALERT_INTERNAL_ERROR); 504 return -1; 505 } 506 WPA_PUT_BE16(*pos - 2, clen); 507 wpa_hexdump(MSG_MSGDUMP, "TLSv1: Encrypted pre_master_secret", 508 *pos, clen); 509 *pos += clen; 510 511 return 0; 512} 513 514 515static int tls_write_client_key_exchange(struct tlsv1_client *conn, 516 u8 **msgpos, u8 *end) 517{ 518 u8 *pos, *rhdr, *hs_start, *hs_length; 519 size_t rlen; 520 tls_key_exchange keyx; 521 const struct tls_cipher_suite *suite; 522 523 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 524 if (suite == NULL) 525 keyx = TLS_KEY_X_NULL; 526 else 527 keyx = suite->key_exchange; 528 529 pos = *msgpos; 530 531 wpa_printf(MSG_DEBUG, "TLSv1: Send ClientKeyExchange"); 532 533 rhdr = pos; 534 pos += TLS_RECORD_HEADER_LEN; 535 536 /* opaque fragment[TLSPlaintext.length] */ 537 538 /* Handshake */ 539 hs_start = pos; 540 /* HandshakeType msg_type */ 541 *pos++ = TLS_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE; 542 /* uint24 length (to be filled) */ 543 hs_length = pos; 544 pos += 3; 545 /* body - ClientKeyExchange */ 546 if (keyx == TLS_KEY_X_DH_anon || keyx == TLS_KEY_X_DHE_RSA) { 547 if (tlsv1_key_x_dh(conn, &pos, end) < 0) 548 return -1; 549 } else { 550 if (tlsv1_key_x_rsa(conn, &pos, end) < 0) 551 return -1; 552 } 553 554 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 555 556 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 557 rhdr, end - rhdr, hs_start, pos - hs_start, 558 &rlen) < 0) { 559 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 560 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 561 TLS_ALERT_INTERNAL_ERROR); 562 return -1; 563 } 564 pos = rhdr + rlen; 565 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 566 567 *msgpos = pos; 568 569 return 0; 570} 571 572 573static int tls_write_client_certificate_verify(struct tlsv1_client *conn, 574 u8 **msgpos, u8 *end) 575{ 576 u8 *pos, *rhdr, *hs_start, *hs_length, *signed_start; 577 size_t rlen, hlen, clen; 578 u8 hash[100], *hpos; 579 580 pos = *msgpos; 581 582 wpa_printf(MSG_DEBUG, "TLSv1: Send CertificateVerify"); 583 rhdr = pos; 584 pos += TLS_RECORD_HEADER_LEN; 585 586 /* Handshake */ 587 hs_start = pos; 588 /* HandshakeType msg_type */ 589 *pos++ = TLS_HANDSHAKE_TYPE_CERTIFICATE_VERIFY; 590 /* uint24 length (to be filled) */ 591 hs_length = pos; 592 pos += 3; 593 594 /* 595 * RFC 2246: 7.4.3 and 7.4.8: 596 * Signature signature 597 * 598 * RSA: 599 * digitally-signed struct { 600 * opaque md5_hash[16]; 601 * opaque sha_hash[20]; 602 * }; 603 * 604 * DSA: 605 * digitally-signed struct { 606 * opaque sha_hash[20]; 607 * }; 608 * 609 * The hash values are calculated over all handshake messages sent or 610 * received starting at ClientHello up to, but not including, this 611 * CertificateVerify message, including the type and length fields of 612 * the handshake messages. 613 */ 614 615 hpos = hash; 616 617#ifdef CONFIG_TLSV12 618 if (conn->rl.tls_version == TLS_VERSION_1_2) { 619 hlen = SHA256_MAC_LEN; 620 if (conn->verify.sha256_cert == NULL || 621 crypto_hash_finish(conn->verify.sha256_cert, hpos, &hlen) < 622 0) { 623 conn->verify.sha256_cert = NULL; 624 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 625 TLS_ALERT_INTERNAL_ERROR); 626 return -1; 627 } 628 conn->verify.sha256_cert = NULL; 629 630 /* 631 * RFC 3447, A.2.4 RSASSA-PKCS1-v1_5 632 * 633 * DigestInfo ::= SEQUENCE { 634 * digestAlgorithm DigestAlgorithm, 635 * digest OCTET STRING 636 * } 637 * 638 * SHA-256 OID: sha256WithRSAEncryption ::= {pkcs-1 11} 639 * 640 * DER encoded DigestInfo for SHA256 per RFC 3447: 641 * 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || 642 * H 643 */ 644 os_memmove(hash + 19, hash, hlen); 645 hlen += 19; 646 os_memcpy(hash, "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65" 647 "\x03\x04\x02\x01\x05\x00\x04\x20", 19); 648 } else { 649#endif /* CONFIG_TLSV12 */ 650 651 hlen = MD5_MAC_LEN; 652 if (conn->verify.md5_cert == NULL || 653 crypto_hash_finish(conn->verify.md5_cert, hpos, &hlen) < 0) { 654 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 655 TLS_ALERT_INTERNAL_ERROR); 656 conn->verify.md5_cert = NULL; 657 crypto_hash_finish(conn->verify.sha1_cert, NULL, NULL); 658 conn->verify.sha1_cert = NULL; 659 return -1; 660 } 661 hpos += MD5_MAC_LEN; 662 663 conn->verify.md5_cert = NULL; 664 hlen = SHA1_MAC_LEN; 665 if (conn->verify.sha1_cert == NULL || 666 crypto_hash_finish(conn->verify.sha1_cert, hpos, &hlen) < 0) { 667 conn->verify.sha1_cert = NULL; 668 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 669 TLS_ALERT_INTERNAL_ERROR); 670 return -1; 671 } 672 conn->verify.sha1_cert = NULL; 673 674 hlen += MD5_MAC_LEN; 675 676#ifdef CONFIG_TLSV12 677 } 678#endif /* CONFIG_TLSV12 */ 679 680 wpa_hexdump(MSG_MSGDUMP, "TLSv1: CertificateVerify hash", hash, hlen); 681 682#ifdef CONFIG_TLSV12 683 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 684 /* 685 * RFC 5246, 4.7: 686 * TLS v1.2 adds explicit indication of the used signature and 687 * hash algorithms. 688 * 689 * struct { 690 * HashAlgorithm hash; 691 * SignatureAlgorithm signature; 692 * } SignatureAndHashAlgorithm; 693 */ 694 *pos++ = TLS_HASH_ALG_SHA256; 695 *pos++ = TLS_SIGN_ALG_RSA; 696 } 697#endif /* CONFIG_TLSV12 */ 698 699 /* 700 * RFC 2246, 4.7: 701 * In digital signing, one-way hash functions are used as input for a 702 * signing algorithm. A digitally-signed element is encoded as an 703 * opaque vector <0..2^16-1>, where the length is specified by the 704 * signing algorithm and key. 705 * 706 * In RSA signing, a 36-byte structure of two hashes (one SHA and one 707 * MD5) is signed (encrypted with the private key). It is encoded with 708 * PKCS #1 block type 0 or type 1 as described in [PKCS1]. 709 */ 710 signed_start = pos; /* length to be filled */ 711 pos += 2; 712 clen = end - pos; 713 if (conn->cred == NULL || 714 crypto_private_key_sign_pkcs1(conn->cred->key, hash, hlen, 715 pos, &clen) < 0) { 716 wpa_printf(MSG_DEBUG, "TLSv1: Failed to sign hash (PKCS #1)"); 717 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 718 TLS_ALERT_INTERNAL_ERROR); 719 return -1; 720 } 721 WPA_PUT_BE16(signed_start, clen); 722 723 pos += clen; 724 725 WPA_PUT_BE24(hs_length, pos - hs_length - 3); 726 727 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 728 rhdr, end - rhdr, hs_start, pos - hs_start, 729 &rlen) < 0) { 730 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate a record"); 731 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 732 TLS_ALERT_INTERNAL_ERROR); 733 return -1; 734 } 735 pos = rhdr + rlen; 736 737 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 738 739 *msgpos = pos; 740 741 return 0; 742} 743 744 745static int tls_write_client_change_cipher_spec(struct tlsv1_client *conn, 746 u8 **msgpos, u8 *end) 747{ 748 size_t rlen; 749 u8 payload[1]; 750 751 wpa_printf(MSG_DEBUG, "TLSv1: Send ChangeCipherSpec"); 752 753 payload[0] = TLS_CHANGE_CIPHER_SPEC; 754 755 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC, 756 *msgpos, end - *msgpos, payload, sizeof(payload), 757 &rlen) < 0) { 758 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 759 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 760 TLS_ALERT_INTERNAL_ERROR); 761 return -1; 762 } 763 764 if (tlsv1_record_change_write_cipher(&conn->rl) < 0) { 765 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set write cipher for " 766 "record layer"); 767 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 768 TLS_ALERT_INTERNAL_ERROR); 769 return -1; 770 } 771 772 *msgpos += rlen; 773 774 return 0; 775} 776 777 778static int tls_write_client_finished(struct tlsv1_client *conn, 779 u8 **msgpos, u8 *end) 780{ 781 u8 *pos, *hs_start; 782 size_t rlen, hlen; 783 u8 verify_data[1 + 3 + TLS_VERIFY_DATA_LEN]; 784 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 785 786 wpa_printf(MSG_DEBUG, "TLSv1: Send Finished"); 787 788 /* Encrypted Handshake Message: Finished */ 789 790#ifdef CONFIG_TLSV12 791 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 792 hlen = SHA256_MAC_LEN; 793 if (conn->verify.sha256_client == NULL || 794 crypto_hash_finish(conn->verify.sha256_client, hash, &hlen) 795 < 0) { 796 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 797 TLS_ALERT_INTERNAL_ERROR); 798 conn->verify.sha256_client = NULL; 799 return -1; 800 } 801 conn->verify.sha256_client = NULL; 802 } else { 803#endif /* CONFIG_TLSV12 */ 804 805 hlen = MD5_MAC_LEN; 806 if (conn->verify.md5_client == NULL || 807 crypto_hash_finish(conn->verify.md5_client, hash, &hlen) < 0) { 808 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 809 TLS_ALERT_INTERNAL_ERROR); 810 conn->verify.md5_client = NULL; 811 crypto_hash_finish(conn->verify.sha1_client, NULL, NULL); 812 conn->verify.sha1_client = NULL; 813 return -1; 814 } 815 conn->verify.md5_client = NULL; 816 hlen = SHA1_MAC_LEN; 817 if (conn->verify.sha1_client == NULL || 818 crypto_hash_finish(conn->verify.sha1_client, hash + MD5_MAC_LEN, 819 &hlen) < 0) { 820 conn->verify.sha1_client = NULL; 821 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 822 TLS_ALERT_INTERNAL_ERROR); 823 return -1; 824 } 825 conn->verify.sha1_client = NULL; 826 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 827 828#ifdef CONFIG_TLSV12 829 } 830#endif /* CONFIG_TLSV12 */ 831 832 if (tls_prf(conn->rl.tls_version, 833 conn->master_secret, TLS_MASTER_SECRET_LEN, 834 "client finished", hash, hlen, 835 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) { 836 wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data"); 837 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 838 TLS_ALERT_INTERNAL_ERROR); 839 return -1; 840 } 841 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (client)", 842 verify_data + 1 + 3, TLS_VERIFY_DATA_LEN); 843 844 /* Handshake */ 845 pos = hs_start = verify_data; 846 /* HandshakeType msg_type */ 847 *pos++ = TLS_HANDSHAKE_TYPE_FINISHED; 848 /* uint24 length */ 849 WPA_PUT_BE24(pos, TLS_VERIFY_DATA_LEN); 850 pos += 3; 851 pos += TLS_VERIFY_DATA_LEN; /* verify_data already in place */ 852 tls_verify_hash_add(&conn->verify, hs_start, pos - hs_start); 853 854 if (tlsv1_record_send(&conn->rl, TLS_CONTENT_TYPE_HANDSHAKE, 855 *msgpos, end - *msgpos, hs_start, pos - hs_start, 856 &rlen) < 0) { 857 wpa_printf(MSG_DEBUG, "TLSv1: Failed to create a record"); 858 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 859 TLS_ALERT_INTERNAL_ERROR); 860 return -1; 861 } 862 863 *msgpos += rlen; 864 865 return 0; 866} 867 868 869static u8 * tls_send_client_key_exchange(struct tlsv1_client *conn, 870 size_t *out_len) 871{ 872 u8 *msg, *end, *pos; 873 size_t msglen; 874 875 *out_len = 0; 876 877 msglen = 2000; 878 if (conn->certificate_requested) 879 msglen += tls_client_cert_chain_der_len(conn); 880 881 msg = os_malloc(msglen); 882 if (msg == NULL) 883 return NULL; 884 885 pos = msg; 886 end = msg + msglen; 887 888 if (conn->certificate_requested) { 889 if (tls_write_client_certificate(conn, &pos, end) < 0) { 890 os_free(msg); 891 return NULL; 892 } 893 } 894 895 if (tls_write_client_key_exchange(conn, &pos, end) < 0 || 896 (conn->certificate_requested && conn->cred && conn->cred->key && 897 tls_write_client_certificate_verify(conn, &pos, end) < 0) || 898 tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 899 tls_write_client_finished(conn, &pos, end) < 0) { 900 os_free(msg); 901 return NULL; 902 } 903 904 *out_len = pos - msg; 905 906 conn->state = SERVER_CHANGE_CIPHER_SPEC; 907 908 return msg; 909} 910 911 912static u8 * tls_send_change_cipher_spec(struct tlsv1_client *conn, 913 size_t *out_len) 914{ 915 u8 *msg, *end, *pos; 916 917 *out_len = 0; 918 919 msg = os_malloc(1000); 920 if (msg == NULL) 921 return NULL; 922 923 pos = msg; 924 end = msg + 1000; 925 926 if (tls_write_client_change_cipher_spec(conn, &pos, end) < 0 || 927 tls_write_client_finished(conn, &pos, end) < 0) { 928 os_free(msg); 929 return NULL; 930 } 931 932 *out_len = pos - msg; 933 934 wpa_printf(MSG_DEBUG, "TLSv1: Session resumption completed " 935 "successfully");
|