TLS: Pass version to tls_prf() in preparation for new PRFs
Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
cd52acec85
commit
d0485a6208
8 changed files with 22 additions and 12 deletions
|
@ -67,7 +67,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
|
|||
os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
|
||||
os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
|
||||
TLS_RANDOM_LEN);
|
||||
if (tls_prf(pre_master_secret, pre_master_secret_len,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
pre_master_secret, pre_master_secret_len,
|
||||
"master secret", seed, 2 * TLS_RANDOM_LEN,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
|
||||
|
@ -83,7 +84,8 @@ int tls_derive_keys(struct tlsv1_client *conn,
|
|||
key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len);
|
||||
if (conn->rl.tls_version == TLS_VERSION_1)
|
||||
key_block_len += 2 * conn->rl.iv_size;
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"key expansion", seed, 2 * TLS_RANDOM_LEN,
|
||||
key_block, key_block_len)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
|
||||
|
@ -536,7 +538,8 @@ int tlsv1_client_prf(struct tlsv1_client *conn, const char *label,
|
|||
TLS_RANDOM_LEN);
|
||||
}
|
||||
|
||||
return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
return tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
|
||||
}
|
||||
|
||||
|
|
|
@ -844,7 +844,8 @@ static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct,
|
|||
}
|
||||
conn->verify.sha1_server = NULL;
|
||||
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
|
||||
verify_data, TLS_VERIFY_DATA_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
|
||||
|
|
|
@ -621,7 +621,8 @@ static int tls_write_client_finished(struct tlsv1_client *conn,
|
|||
}
|
||||
conn->verify.sha1_client = NULL;
|
||||
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
|
||||
verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
|
||||
|
|
|
@ -268,7 +268,7 @@ const char * tls_version_str(u16 ver)
|
|||
}
|
||||
|
||||
|
||||
int tls_prf(const u8 *secret, size_t secret_len, const char *label,
|
||||
int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
|
||||
const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
|
||||
{
|
||||
return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
|
||||
|
|
|
@ -220,7 +220,7 @@ void tls_verify_hash_add(struct tls_verify_hash *verify, const u8 *buf,
|
|||
void tls_verify_hash_free(struct tls_verify_hash *verify);
|
||||
int tls_version_ok(u16 ver);
|
||||
const char * tls_version_str(u16 ver);
|
||||
int tls_prf(const u8 *secret, size_t secret_len, const char *label,
|
||||
int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
|
||||
const u8 *seed, size_t seed_len, u8 *out, size_t outlen);
|
||||
|
||||
#endif /* TLSV1_COMMON_H */
|
||||
|
|
|
@ -49,7 +49,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
|
|||
os_memcpy(seed, conn->client_random, TLS_RANDOM_LEN);
|
||||
os_memcpy(seed + TLS_RANDOM_LEN, conn->server_random,
|
||||
TLS_RANDOM_LEN);
|
||||
if (tls_prf(pre_master_secret, pre_master_secret_len,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
pre_master_secret, pre_master_secret_len,
|
||||
"master secret", seed, 2 * TLS_RANDOM_LEN,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive "
|
||||
|
@ -64,7 +65,8 @@ int tlsv1_server_derive_keys(struct tlsv1_server *conn,
|
|||
os_memcpy(seed + TLS_RANDOM_LEN, conn->client_random, TLS_RANDOM_LEN);
|
||||
key_block_len = 2 * (conn->rl.hash_size + conn->rl.key_material_len +
|
||||
conn->rl.iv_size);
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"key expansion", seed, 2 * TLS_RANDOM_LEN,
|
||||
key_block, key_block_len)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive key_block");
|
||||
|
@ -449,7 +451,8 @@ int tlsv1_server_prf(struct tlsv1_server *conn, const char *label,
|
|||
TLS_RANDOM_LEN);
|
||||
}
|
||||
|
||||
return tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
return tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
|
||||
}
|
||||
|
||||
|
|
|
@ -1063,7 +1063,8 @@ static int tls_process_client_finished(struct tlsv1_server *conn, u8 ct,
|
|||
}
|
||||
conn->verify.sha1_client = NULL;
|
||||
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"client finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
|
||||
verify_data, TLS_VERIFY_DATA_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data");
|
||||
|
|
|
@ -609,7 +609,8 @@ static int tls_write_server_finished(struct tlsv1_server *conn,
|
|||
}
|
||||
conn->verify.sha1_server = NULL;
|
||||
|
||||
if (tls_prf(conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
if (tls_prf(conn->rl.tls_version,
|
||||
conn->master_secret, TLS_MASTER_SECRET_LEN,
|
||||
"server finished", hash, MD5_MAC_LEN + SHA1_MAC_LEN,
|
||||
verify_data + 1 + 3, TLS_VERIFY_DATA_LEN)) {
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Failed to generate verify_data");
|
||||
|
|
Loading…
Reference in a new issue